A pact underpinning billions of dollars of transatlantic data transfers will undergo its first annual review on Monday, with Europe seeking to ensure Washington has lived up to its promises to protect the data of European citizens stored on U.S. servers.
Feted as a milestone in transatlantic relations, which had soured after revelations of mass U.S. surveillance four years ago, the EU-U.S. Privacy Shield data pact has been in place for just over a year.
It was hammered out after the European Union’s top court struck down a previous data transfer pact in 2015 because it allowed U.S. spies excessive access to people’s data, plunging everyday cross-border data transfers into legal limbo.
However, it is already subject to two legal challenges in European courts on the grounds that it does not offer adequate privacy protections for European citizens’ data, and EU data protection watchdogs have also expressed misgivings.
The first annual review taking place on Monday and Tuesday will be an opportunity for the European Commission, which negotiated the Privacy Shield, to ensure it is functioning well and that the U.S. administration is keeping its part of the deal.
“My expectation is that we will find Privacy Shield functioning, we might find some space or room for improvement,” Vera Jourova, EU Justice Commissioner, told Reuters in an interview.
The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to U.S. servers by giving EU citizens greater means to seek redress in case of disputes, including through a new privacy ombudsman within the State Department who will deal with complaints from EU citizens about U.S. spying.
However, a new ombudsman has not been appointed under the new U.S. administration, something Jourova said she will push for.
Companies wanting to transfer Europeans’ personal data outside the bloc have to comply with tough EU data protection rules which forbid them from transferring personal data to countries deemed to have inadequate privacy protections unless they have special legal contracts in place.
The Privacy Shield allows firms to move data across the Atlantic without relying on such contracts, known as model clauses, which are more cumbersome and expensive.
Over 2,400 companies are signed up to the scheme including Alphabet Inc’s Google (GOOGL.O), Facebook (FB.O) and Microsoft (MSFT.O).
“Virtually every transaction in the trillion-euro transatlantic trade relationship, from the movement of services and capital to the movement of goods and people, heavily relies on the transfer of data between the EU and U.S.,” said Thomas Boue, Director General, Policy, EMEA for BSA, which represents the likes of Apple (AAPL.O), Microsoft and IBM (IBM.N).
The Commission is also seeking figures on how many requests for people’s data companies had received from U.S. authorities.
“The million dollar question was how many times they were asked by the national secret service,” Jourova said. “This is of big relevance for assessing whether Privacy Shield is successful.”
The Commission will produce a report with its conclusions on the review of the Privacy Shield in October.